SSH & SFTP: Should I assign one port to each user to facilitate bandwidth monitoring?
- by BertS
There is no easy way to track real-time per-user bandwidth usage for SSH and SFTP. I think assigning one port to each user may help.
Idea of implementation
Use case
Bob, with UID 1001, shall connect on port 31001.
Alice, with UID 1002, shall connect on port 31002.
John, with UID 1003, shall connect on port 31003.
(I do not want to launch several sshd instances as proposed in question 247291.)
1. Setup for SFTP:
In /etc/ssh/sshd_config:
Port 31001
Port 31002
Port 31003
Subsystem sftp /usr/bin/sftp-wrapper.sh
The file sftp-wrapper.sh starts the sftp server only if the port is the correct one:
#!/bin/sh
# Port a user must use: "3" followed by the numeric UID (1001 -> 31001)
mandatory_port=3$(id -u)
# SSH_CONNECTION is "client_ip client_port server_ip server_port";
# the 4th field is the local port the client connected to
current_port=$(echo "$SSH_CONNECTION" | awk '{print $4}')
if [ "$mandatory_port" -eq "$current_port" ]
then
    exec /usr/lib/openssh/sftp-server
fi
# Wrong port: refuse to start the SFTP server
exit 1
2. Additional setup for SSH:
A few lines in /etc/profile prevent the user from connecting on the wrong port:
# Only check sessions that came in through sshd
if [ -n "$SSH_CONNECTION" ]
then
    mandatory_port=3$(id -u)
    current_port=$(echo "$SSH_CONNECTION" | awk '{print $4}')
    if [ "$mandatory_port" -ne "$current_port" ]
    then
        echo "Please connect on port $mandatory_port."
        exit 1
    fi
fi
Benefits
Now it should be easy to monitor per-user bandwidth usage. An rrdtool-based application could produce charts like this:
I know this won't be a perfect calculation of the bandwidth usage: for example, if somebody launches a bruteforce attack on port 31001, there will be a lot of traffic on this port although not from Bob. But this is not a problem to me: I do not need an exact computation of per-user bandwidth usage, but an indicator that is approximately correct in standard situations.
Questions
Is the idea of assigning one port for each user a good one?
Is the proposed setup a reliable one?
If I have to open dozens of ports for many users, should I expect a performance drawback?
Do you know an rrdtool-based application which could make the chart above?
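As an added example (not part of the original post), the port check used by both the sftp wrapper and the /etc/profile snippet, written as POSIX sh functions that take the SSH_CONNECTION value and the UID as arguments so the logic fails closed on missing or malformed input and can be exercised with constructed values; the "3 + UID" port scheme is the one proposed above, and the function names are my own.

```shell
#!/bin/sh
# Added example: reusable port check for the per-user-port scheme above.

# Port a given UID must use: "3" prepended to the UID, e.g. 1001 -> 31001.
# Fails (non-zero) for an empty or non-numeric UID.
expected_port() {
    uid=$1
    case $uid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '3%s\n' "$uid"
}

# Succeed only if the 4th field of an SSH_CONNECTION string (the local
# server port) equals the expected port for the UID. Missing fields or a
# non-numeric port fail closed instead of erroring out the way an unquoted
# "[ $a -eq $b ]" does when a variable is empty.
port_allowed() {
    conn=$1
    uid=$2
    want=$(expected_port "$uid") || return 1
    # SSH_CONNECTION is "client_ip client_port server_ip server_port"
    set -- $conn
    [ "$#" -eq 4 ] || return 1
    got=$4
    case $got in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$got" -eq "$want" ]
}

# In sftp-wrapper.sh the check is used as:
#   port_allowed "$SSH_CONNECTION" "$(id -u)" && exec /usr/lib/openssh/sftp-server
#   exit 1
```

Since /etc/profile is read only by login shells, the Subsystem wrapper is the place where sshd applies this check to every SFTP session.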